Loading...
Searching...
No Matches
tenduke.sdk.core.auth.AbstractPkceClient Class Referenceabstract
Detailed Description
Base class for implementation of an OAuth PKCE flow client.
Note: the second phase construction method init() must be used prior to running an OAuth flow.
Inheritance diagram for tenduke.sdk.core.auth.AbstractPkceClient:
Public Member Functions | |
| AbstractPkceClient (final AuthConfig config, final OkHttpProvider okHttpProvider, final JwtServiceProvider jwtServiceProvider, final ObjectMapper mapper) | |
| Class constructor. | |
| VerifiedOAuthTokenResponse | requestToken (final String codeVerifier, final String code, final URI redirectUri) throws IOException |
| Makes an access token request to the authorization server. | |
| void | registerTokenResponseSubscriber (final OAuthTokenResponseSubscriber subscriber) |
| Adds a token response subscriber for receiving callbacks for each token response this client gets. | |
| boolean | unregisterTokenResponseSubscriber (final OAuthTokenResponseSubscriber subscriber) |
| Removes a token response subscriber that was previously registered. | |
 Public Member Functions inherited from tenduke.sdk.core.auth.AbstractOAuthClient | |
| AbstractOAuthClient (final AuthConfig config, final OkHttpProvider okHttpProvider, final JwtServiceProvider jwtServiceProvider, final ObjectMapper mapper) | |
| Class constructor. | |
| void | init () |
| Second phase construction hook provided for controlling potentially slow loading of remote OpenId configuration. | |
| VerifiedOAuthTokenResponse | refreshToken (final String refreshToken) throws IOException |
| Makes an access token refresh request to the authorization server. | |
| boolean | checkIfJwksUriIsConfigured () |
| Checks if this client instance has configuration for the JWKS endpoint. | |
| boolean | reloadJwks () |
| Requests this client instance to reload keys from the JWKS endpoint. | |
Protected Member Functions | |
| PkceRequestInfo | buildAuthorizationUrl (final URI redirectUri, final String codeVerifier, final String codeChallenge, final String state) |
| Builds the URL where the user is to be sent for authorization. | |
| String | generateCodeVerifier () |
| Generates the PKCE code verifier, which is the mechanism by which the client proves in the call to the token endpoint that it was the one that initiated the authorization request. | |
| String | generateCodeChallange (final String codeVerifier) |
| Generates the PKCE code challenge, which is derived from the code verifier that is sent in the authorization request, to be verified against later. | |
| String | generateCodeChallange (final String codeVerifier, final String messageDigestAlgorithm) |
| Generates the PKCE code challenge, which is derived from the code verifier that is sent in the authorization request, to be verified against later. | |
| String | generateState () |
| Generates the state for the PKCE flow. | |
| void | assertStateIsValid () |
| Analyzes state and configuration. | |
| void | assertValidateAuthorizeCallbackWaitArgs (final boolean waitResults, final long maxWaitSeconds) |
| Validates OAuth authorization step wait settings are sane. | |
| boolean | supportsTokenRefresh () |
| Returns flag that tells if the OAuth client implementation supports token refresh. | |
| Protected Member Functions inherited from tenduke.sdk.core.auth.AbstractOAuthClient | |
| VerifiedOAuthTokenResponse | parseTokenResponse (final Response response) |
| Parses a token response received from the authorization server (Identity Provider). | |
| void | loadOpenIdConnectConfiguration () |
| Loads OpenId configuration from configured URL (only if discovery URL is available in configuration). | |
| String | formatConfigMissingMessage (final String formatValue) |
| Formats a message for a missing configuration value. | |
| String | formatRuntimeDependencyMissingMessage (final String formatValue) |
| Formats a message for a missing configuration value. | |
| boolean | updateSigningKeys (final OpenIdConfiguration effectiveOidcConfig, final JwtServiceProvider jwtSp) |
| Updates signing keys based on OpenIdConfiguration that has been loaded or changed. | |
Constructor & Destructor Documentation
◆ AbstractPkceClient()
| tenduke.sdk.core.auth.AbstractPkceClient.AbstractPkceClient | ( | final AuthConfig | config, |
| final OkHttpProvider | okHttpProvider, | ||
| final JwtServiceProvider | jwtServiceProvider, | ||
| final ObjectMapper | mapper ) |
Class constructor.
- Parameters
-
config The configuration to use for OAuth client_id and endpoints at the authorization provider, okHttpProvider Provides OkHttpClient instance(s). jwtServiceProvider Provides JwtService instances. mapper Jackson object mapper, needed for parsing access token response JSON.
Member Function Documentation
◆ assertStateIsValid()
|
protected |
Analyzes state and configuration.
Throws IllegalStateException if:
- runtime dependencies have not been provided
- missing or invalid configuration is encountered
Analysis regarding invalid values is a basic syntactical check to see the configured values make sense.
Reimplemented from tenduke.sdk.core.auth.AbstractOAuthClient.
Reimplemented in tenduke.sdk.core.auth.WebAppPkceClient.
◆ assertValidateAuthorizeCallbackWaitArgs()
|
protected |
Validates OAuth authorization step wait settings are sane.
- Parameters
-
waitResults flag defining if results should be waited for. maxWaitSeconds maximum number of seconds for how long results should beach waited for.
- Exceptions
-
IllegalArgumentException if waitResultsis set to true butmaxWaitSecondsare set to less than zero.
◆ buildAuthorizationUrl()
|
protected |
Builds the URL where the user is to be sent for authorization.
- Parameters
-
redirectUri The client's redirect URI. codeVerifier The code verifier from initiating the PKCE flow. codeChallenge The code challenge from PKCE flow. state The client's OAuth state.
- Returns
- URL where the user is to be sent for authorization.
◆ generateCodeChallange() [1/2]
|
protected |
Generates the PKCE code challenge, which is derived from the code verifier that is sent in the authorization request, to be verified against later.
This overload chooses CODE_CHALLENGE_MESSAGE_DIGEST as the message digest algorithm used to hash the code challenge bytes.
- Parameters
-
codeVerifier The code verifier to use for creating the challenge.
- Returns
- The PKCE code challenge.
◆ generateCodeChallange() [2/2]
|
protected |
Generates the PKCE code challenge, which is derived from the code verifier that is sent in the authorization request, to be verified against later.
- Parameters
-
codeVerifier The code verifier to use for creating the challenge. messageDigestAlgorithm The algorithm to use for hashing bytes for the code challenge value.
- Returns
- The PKCE code challenge.
◆ generateCodeVerifier()
|
protected |
Generates the PKCE code verifier, which is the mechanism by which the client proves in the call to the token endpoint that it was the one that initiated the authorization request.
- Returns
- a high-entropy cryptographic random String as specified in RFC: RFC7636.
◆ generateState()
|
protected |
Generates the state for the PKCE flow.
- Returns
- A String based on a random UUID.
◆ registerTokenResponseSubscriber()
| void tenduke.sdk.core.auth.AbstractPkceClient.registerTokenResponseSubscriber | ( | final OAuthTokenResponseSubscriber | subscriber | ) |
Adds a token response subscriber for receiving callbacks for each token response this client gets.
- Parameters
-
subscriber The subscriber to add.
◆ requestToken()
| VerifiedOAuthTokenResponse tenduke.sdk.core.auth.AbstractPkceClient.requestToken | ( | final String | codeVerifier, |
| final String | code, | ||
| final URI | redirectUri ) throws IOException |
Makes an access token request to the authorization server.
The value of codeVerifier and redirectUri are given in the return value from calling authorize(). The value of code is provided to the Consumer passed in as an argument to the call to authorize().
- Parameters
-
codeVerifier The code verifier from initiating the PKCE flow. code The authorization code received in the OAuth callback. redirectUri The client's redirect URI.
- Returns
- The token response provided by the authorization server. Note: The return value may be null, which happens if no response body is provided by the access token request to the authorization server. For not null return values you may use the
OAuthTokenResponse#checkIsSuccess()andOAuthTokenResponse#checkIsError()methods ofOAuthTokenResponseto determine if getting the id token or error code is the next step.
- Exceptions
-
IOException for errors opening the desktop browser needed for the authorization stage.
◆ supportsTokenRefresh()
|
protected |
Returns flag that tells if the OAuth client implementation supports token refresh.
- Returns
- true if token refresh is supported, false otherwise
Reimplemented from tenduke.sdk.core.auth.AbstractOAuthClient.
◆ unregisterTokenResponseSubscriber()
| boolean tenduke.sdk.core.auth.AbstractPkceClient.unregisterTokenResponseSubscriber | ( | final OAuthTokenResponseSubscriber | subscriber | ) |
Removes a token response subscriber that was previously registered.
- Parameters
-
subscriber The subscriber to remove.
- Returns
- true if the subscriber was found and removed, false otherwise.
The documentation for this class was generated from the following file:
- auth/src/main/java/tenduke/sdk/core/auth/AbstractPkceClient.java
